June 14, 2021
Good morning, everyone!
First authorized C3PAO encourages scope reduction
We are now off to the races! The first Certified Third-Party Assessment Organization (C3PAO) authorized to conduct official CMMC assessments has been announced (Redspin, a division of CynergisTek) and more are coming soon:
“Reaching this step in getting the CMMC ecosystem up and running is a significant milestone and we look forward to authorizing additional C3PAOs in the coming days and weeks,” said CMMC-AB chief executive Matthew Travis.
In an interview with InsideCybersecurity.com, CynergisTek CEO Caleb Barlow stated that he has one CMMC Provisional Assessor on staff and is in talks to bring on more as contractors. He is working with the CMMC and DoD on the final steps necessary to begin conducting assessments “in a matter of weeks.”
Here are a few key quotes from the interview:
Barlow said CynergisTek started to prepare for its DIBCAC assessment “over a year ago” and the hardest part was getting the documentation together to meet the CMMC requirements.
The attention should be on “Where do I need to have CUI? Can I get rid of it in certain areas or consolidate it in certain areas to reduce that risk and where I do need it? How do I isolate it as much as possible to reduce that risk?”
Looking at CMMC “like any other compliance effort where [the] IT team and security team have a bunch of documentation” that needs to be filled out along with “a bunch of steps that they need to go through” is not going to work, Barlow said. “If that is the attitude that people approach it with, they will absolutely fail.”
To prepare for the DIBCAC assessment, Barlow said his company changed their “processes” including figuring out “where we need to actually touch CUI and how do we reduce the number of times and locations we need to touch it.” Redspin’s work shifted to reducing the number of people who have access to the CUI and isolating the information “as much as possible,” Barlow said.
Key Takeaways
Reduce the scope, build a CUI enclave, and start work on your documentation. The time to prepare is now.
And keep reading my CMMC Updates! Have a great week.
P.S. – Need help? I’m just an email or phone call away!
Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab. Feel free to share this update!
Sincerely,
Glenda R. Snodgrass
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107